Oracle Roles and Users audit report
I have often used following procedure to create list of roles & corresponding users mapped into it. This was then used to email business owners as well as for user accesss auditing.
-- Package Name : users_granted_role
-- This package was created to spool user and their respective Privs from oracle data Dictionary.
CREATE OR REPLACE PACKAGE users_granted_role
IS
procedure write_op (pv_str in varchar2);
function user_or_role(pv_grantee in dba_users.username%type) return varchar2;
function role_pwd(pv_role in dba_roles.role%type) return varchar2;
procedure get_users(pv_grantee in dba_roles.role%type,pv_tabstop in out number);
procedure get_role (pv_role in varchar2);
Procedure extract_user_role_details;
END users_granted_role;
/
create or replace package body users_granted_role
IS
output_method varchar2(1) :='S';
skip_user varchar2(1) := 'N';
user_to_skip varchar2(20) :='TEST%';
--
lg_fptr utl_file.file_type;
lv_file_or_screen varchar2(1):='S';
v_tag VARCHAR2(8);
v_filename VARCHAR2(30);
v_today VARCHAR2(8);
--
cursor find_all_roles is
Select role
from dba_roles;
--
procedure write_op (pv_str in varchar2) is
begin
v_today := TO_CHAR(sysdate,'YYYYMMDD');
v_tag := 'UserPriv';
v_filename := 'User_Privileges'|| v_today;
if lv_file_or_screen='S' then
dbms_output.put_line(v_tag || v_filename||' '||pv_str);
else
utl_file.put_line(lg_fptr,pv_str);
end if;
exception
when utl_file.invalid_path then
dbms_output.put_line('invalid path');
when utl_file.invalid_mode then
dbms_output.put_line('invalid mode');
when utl_file.invalid_filehandle then
dbms_output.put_line('invalid filehandle');
when utl_file.invalid_operation then
dbms_output.put_line('invalid operation');
when utl_file.read_error then
dbms_output.put_line('read error');
when utl_file.write_error then
dbms_output.put_line('write error');
when utl_file.internal_error then
dbms_output.put_line('internal error');
when others then
dbms_output.put_line('ERROR (write_op) => '||sqlcode);
dbms_output.put_line('MSG (write_op) => '||sqlerrm);
end write_op;
--
function user_or_role(pv_grantee in dba_users.username%type) return varchar2 is
--
cursor c_use (cp_grantee in dba_users.username%type) is
select 'USER' userrole
from dba_users u
where u.username=cp_grantee
union
select 'ROLE' userrole
from dba_roles r
where r.role=cp_grantee;
--
lv_use c_use%rowtype;
--
begin
open c_use(pv_grantee);
fetch c_use into lv_use;
close c_use;
return lv_use.userrole;
exception
when others then
dbms_output.put_line('ERROR (user_or_role) => '||sqlcode);
dbms_output.put_line('MSG (user_or_role) => '||sqlerrm);
end user_or_role;
-----------------
function role_pwd(pv_role in dba_roles.role%type) return varchar2 is
--
cursor c_role(cp_role in dba_roles.role%type) is
select r.password_required
from dba_roles r
where r.role=cp_role;
--
lv_role c_role%rowtype;
--
begin
open c_role(pv_role);
fetch c_role into lv_role;
close c_role;
return lv_role.password_required;
exception
when others then null;
--dbms_output.put_line('ERROR (role_pwd) => '||sqlcode);
--dbms_output.put_line('MSG (role_pwd) => '||sqlerrm);
end role_pwd;
--
procedure get_users(pv_grantee in dba_roles.role%type,pv_tabstop in out number) is
--
lv_tab varchar2(50):='';
lv_loop number;
lv_user_or_role dba_users.username%type;
--
cursor c_user (cp_username in dba_role_privs.grantee%type) is
select d.grantee,
d.admin_option
from dba_role_privs d
where d.granted_role=cp_username;
--
begin
pv_tabstop:=pv_tabstop+1;
for lv_loop in 1..pv_tabstop loop
lv_tab:=lv_tab||chr(9);
end loop;
for lv_user in c_user(pv_grantee) loop
lv_user_or_role:=user_or_role(lv_user.grantee);
if lv_user_or_role = 'ROLE' then
if lv_user.grantee = 'PUBLIC' then
write_op(lv_tab||'Role => '||lv_user.grantee
||' (ADM = '||lv_user.admin_option
||'|PWD = '||role_pwd(lv_user.grantee)||')');
else
write_op(lv_tab||'Role => '||lv_user.grantee
||' (ADM = '||lv_user.admin_option
||'|PWD = '||role_pwd(lv_user.grantee)||')'
||' which is granted to =>');
end if;
get_users(lv_user.grantee,pv_tabstop);
else
if upper(skip_user) = 'Y' and lv_user.grantee like upper(user_to_skip) then
null;
else
write_op(lv_tab||'User => '||lv_user.grantee
||' (ADM = '||lv_user.admin_option||')');
end if;
end if;
end loop;
pv_tabstop:=pv_tabstop-1;
lv_tab:='';
exception
when others then
dbms_output.put_line('ERROR (get_users) => '||sqlcode);
dbms_output.put_line('MSG (get_users) => '||sqlerrm);
end get_users;
----
procedure get_role (pv_role in varchar2) is
--
cursor c_main (cp_role in varchar2) is
select p.grantee,
p.admin_option
from dba_role_privs p
where p.granted_role=cp_role;
--
lv_userrole dba_users.username%type;
lv_tabstop number;
--
--
begin
lv_tabstop:=1;
for lv_main in c_main(pv_role) loop
lv_userrole:=user_or_role(lv_main.grantee);
if lv_userrole='USER' then
if upper(skip_user) = 'Y' and lv_main.grantee like upper(user_to_skip) then
null;
else
write_op(chr(9)||'User => '||lv_main.grantee
||' (ADM = '||lv_main.admin_option||')');
end if;
else
if lv_main.grantee='PUBLIC' then
write_op(chr(9)||'Role => '||lv_main.grantee
||' (ADM = '||lv_main.admin_option
||'|PWD = '||role_pwd(lv_main.grantee)||')');
else
write_op(chr(9)||'Role => '||lv_main.grantee
||' (ADM = '||lv_main.admin_option
||'|PWD = '||role_pwd(lv_main.grantee)||')'
||' which is granted to =>');
end if;
get_users(lv_main.grantee,lv_tabstop);
end if;
end loop;
exception
when others then
dbms_output.put_line('ERROR (get_role) => '||sqlcode);
dbms_output.put_line('MSG (get_role) => '||sqlerrm);
end get_role;
Procedure extract_user_role_details is
begin
write_op('Users_granted_role: Release 1.0 - Author : Sagar PATIL on '|| sysdate);
for role_to_find in find_all_roles loop
lv_file_or_screen:= upper(output_method);
write_op(chr(10));
write_op('Investigating Role => '||upper(role_to_find.role)||' (PWD = '
||role_pwd(upper(role_to_find.role))||') which is granted to =>');
write_op('====================================================================');
get_role(upper(role_to_find.role));
end loop;
exception
when others then
dbms_output.put_line('ERROR (main) => '||sqlcode);
dbms_output.put_line('MSG (main) => '||sqlerrm);
end extract_user_role_details;
end;
/
Run it as below
SQL> spool list_of_users.lst SQL> set serveroutput on size 20000; SQL> exec users_granted_role.extract_user_role_details; UserPrivUser_Privileges20101026 Investigating Role => CONNECT (PWD = NO) which is granted to => ==================================================================== UserPrivUser_Privileges20101026 User => WMSYS (ADM = NO) UserPrivUser_Privileges20101026 User => SPATIAL_CSW_ADMIN_USR (ADM = NO) UserPrivUser_Privileges20101026 User => SYSMAN (ADM = NO) UserPrivUser_Privileges20101026 User => GRIDCONTROL (ADM = NO) UserPrivUser_Privileges20101026 User => RMAN (ADM = NO) UserPrivUser_Privileges20101026 User => MDDATA (ADM = NO) UserPrivUser_Privileges20101026 User => OWBSYS (ADM = YES) UserPrivUser_Privileges20101026 User => SYSMAN_MDS (ADM = NO) UserPrivUser_Privileges20101026 User => SYS (ADM = YES) UserPrivUser_Privileges20101026 User => MDSYS (ADM = NO) UserPrivUser_Privileges20101026 User => SPATIAL_WFS_ADMIN_USR (ADM = NO) UserPrivUser_Privileges20101026 User => APEX_030200 (ADM = YES) UserPrivUser_Privileges20101026 User => SCOTT (ADM = NO) UserPrivUser_Privileges20101026 UserPrivUser_Privileges20101026 Investigating Role => RESOURCE (PWD = NO) which is granted to => ==================================================================== UserPrivUser_Privileges20101026 User => WMSYS (ADM = NO) UserPrivUser_Privileges20101026 User => SCOTT (ADM = NO) UserPrivUser_Privileges20101026 User => SPATIAL_CSW_ADMIN_USR (ADM = NO) UserPrivUser_Privileges20101026 User => RMAN (ADM = NO) UserPrivUser_Privileges20101026 Role => LOGSTDBY_ADMINISTRATOR (ADM = NO|PWD =NO) which is granted to => UserPrivUser_Privileges20101026 User => SYS (ADM = YES) UserPrivUser_Privileges20101026 User => EXFSYS (ADM = NO) UserPrivUser_Privileges20101026 User => SPATIAL_WFS_ADMIN_USR (ADM = NO) UserPrivUser_Privileges20101026 User => CTXSYS (ADM = NO) UserPrivUser_Privileges20101026 User => OLAPSYS (ADM = NO) UserPrivUser_Privileges20101026 User => MDSYS (ADM = NO) UserPrivUser_Privileges20101026 User => SYSMAN_MDS (ADM = NO) UserPrivUser_Privileges20101026 User => XDB (ADM = NO) UserPrivUser_Privileges20101026 User => APEX_030200 (ADM = YES) UserPrivUser_Privileges20101026 User => SYS (ADM = YES) UserPrivUser_Privileges20101026 User => SYSMAN (ADM = NO) UserPrivUser_Privileges20101026 User => OUTLN (ADM = NO) UserPrivUser_Privileges20101026 User => MDDATA (ADM = NO)PL/SQL procedure successfully completed. SQL> spool off;
Leave a Reply
You must be logged in to post a comment.